SMT Solvers: Theory and Practice - Max Planck Society · SMT Solvers: Theory and Practice Clark...

SMT Solvers: Theory and Practice

Clark Barrett

[email protected]

New York University

Summer School on Verification Technology, Systems & Applications, September 17, 2008 – p. 1/125

Exercise

There is a triangle of 15 pegs with one missing. You have tojump pegs until there is only one left.

X

X X

X O X

X X X X

X X X X X


SMT solvers: Motivation

SAT solvers are automatic and efficient.

As a result, they are frequently used as the “engine” behindverification applications.

However, systems are usually designed and modeled at ahigher level than the Boolean level and the translation toBoolean logic can be expensive.

A primary goal of research in Satisfiability Modulo Theories(SMT) is to create verification engines that can reasonnatively at a higher level of abstraction, while still retaining thespeed and automation of today’s Boolean engines.


Roadmap

Satisfiability Modulo Theories

• First-Order Logic• Specific Theories• Theory Solvers• Combining Theory Solvers• Combining with SAT• Modeling in SMT


SMT Solvers: Language

Whereas the language of SAT solvers is Boolean logic, thelanguage of SMT solvers is first-order logic [End00].

The language includes the Boolean operations of Booleanlogic, but instead of propositional variables, more complicatedexpressions involving constant, function, and predicatesymbols are used.

Examples of predicates

• f(x) = f(y)

• x+ y < z

• a ∈ S


First-Order Logic: Syntax

As with propositional logic, expressions in first-order logic aremade up of sequences of symbols.

Symbols are divided into logical symbols and non-logicalsymbols or parameters.



Logical Symbols

• Parentheses: (, )

• Propositional connectives: ¬, ∨, ∧, →, ↔• Variables: v1, v2, . . .• Quantifiers: ∀, ∃

Parameters

• Equality symbol (optional): =

• Predicate symbols: e.g. p(x), x > y

• Constant symbols: e.g. 0, John, π• Function symbols: e.g. f(x), x+ y, x+[2] y



Each predicate and function symbol has an associated arity:a natural number indicating how many arguments it takes.

Equality is a special predicate symbol of arity 2.

Constant symbols can also be thought of as functions whosearity is 0.

A first-order language must first specify its parameters.


First-Order Languages: Examples

Propositional Logic

• Equality: no• Predicate symbols: A1, A2, . . .• Constant symbols: none• Function symbols: none

Set Theory

• Equality: yes• Predicate symbols: ∈• Constant symbols: ∅• Function symbols: none


First-Order Languages: Examples

Elementary Number Theory

• Equality: yes• Predicate symbols: <• Constant symbols: 0

• Function symbols: S (successor), +, ×, exp


First-Order Logic: Terms

The first important concept on the way to defining well-formedformulas is that of terms.

For each function symbol f of arity n, we define aterm-building operation Ff :

Ff (α1, . . . , αn) = fα1, . . . , αn

Note that we are using prefix notation to avoid ambiguity.

The set of terms is the set of expressions generated from theconstant symbols and variables by the Ff operations.

Terms are expressions which name objects.

TheoremThe set of terms is freely generated from the set of variablesand constant symbols by the Ff operations.


First-Order Logic: Formulas

Atomic FormulasAn atomic formula is an expression of the form: Pt1, . . . , tnwhere P is a predicate symbol of arity n and t1,. . . ,tn areterms.

If the language includes the equality symbol, we consider theequality symbol to be a special predicate of arity 2.

FormulasWe define the following formula-building operations:

• E¬(α) = (¬α)

• E→(α, β) = (α→ β)

• Qi(α) = ∀ vi α


First-Order Logic: Formulas

The set of well-formed formulas is the set of expressionsgenerated from the atomic formulas by the operations E¬, E→,and Qi i = 1, 2, . . . .

This set is also freely generated.


Formula Examples

In the language of elementary number theory introducedabove, which of the following are terms?1. v6

v2 + v3 yes

∀ v1. 0 × v1 = 0


Formula Examples

In the language of elementary number theory introducedabove, which of the following are terms?1. v6 yes2. v2 + v3

v2 + v3 yes

∀ v1. 0 × v1 = 0


Formula Examples

In the language of elementary number theory introducedabove, which of the following are terms?1. v6 yes2. v2 + v3 yes3. P1 ∧ P2

∀ v1. 0 × v1 = 0


Formula Examples

In the language of elementary number theory introducedabove, which of the following are terms?1. v6 yes2. v2 + v3 yes3. P1 ∧ P2 no

atomic formulas?1. (v1 + 0)v2 = S(v3)

∀ v1. 0 × v1 = 0


Formula Examples


atomic formulas?1. (v1 + 0)v2 = S(v3) yes2. ¬(v2 = v3)

∀ v1. 0 × v1 = 0


Formula Examples


atomic formulas?1. (v1 + 0)v2 = S(v3) yes2. ¬(v2 = v3) no

well-formed formulas?1. ¬(v2 = v3)

∀ v1. 0 × v1 = 0


Formula Examples



well-formed formulas?1. ¬(v2 = v3) no

∀ v1. 0 × v1 = 0


Formula Examples



well-formed formulas?1. ¬(v2 = v3) no2. 0 × v1

∀ v1. 0 × v1 = 0


Formula Examples



well-formed formulas?1. ¬(v2 = v3) no2. 0 × v1 no3. ∀ v1. 0 × v1 = 0


Formula Examples



well-formed formulas?1. ¬(v2 = v3) no2. 0 × v1 no3. ∀ v1. 0 × v1 = 0 yes


Free and Bound Variables

We define by recursion what it means for a variable x to occurfree in a wff α:

• If α is an atomic formula, then x occurs free in α iff xoccurs in α.

• x occurs free in (¬α) iff x occurs free in α.

• x occurs free in (α→ β) iff x occurs free in α or in β.• x occurs free in ∀ vi α iff x occurs free in α and x 6= vi.

If ∀ vi appears in α, then vi is said to be bound in α.

If no variable occurs free in a wff α, then α is a sentence.


First-Order Logic: Semantics

In propositional logic, the truth of a formula was determinedby a truth assignment over the propositional symbols.

In first-order logic, we use a model (also called a structure) todetermine the truth of a formula.



A signature is a set of non-logical symbols (predicates,constants, and functions). Given a signature Σ, a model M ofΣ consists of the following:

1. A nonempty set called the domain of M , written dom(M).Elements of dom(M) are also referred to as elements ofM .

2. A mapping from each constant c in Σ to an element cM ofM .

3. A mapping from each n-ary function symbol f in Σ to fM ,an n-ary function from [dom(M)]n to dom(M).

4. A mapping from each n-ary predicate symbol p in Σ topM ⊆ [dom(M)]n, an n-ary relation on the set dom(M).


Example

Consider the signature corresponding to the language of settheory which has a single predicate symbol ∈ and a singleconstant symbol ∅.

A possible model M for this signature has dom(M) = N , theset of natural numbers, ∈M=<, and ∅M = 0.

Now consider the sentence ∃x ∀ y ¬y ∈ x.


Example




What does this sentence mean in this model?


Example





The translation of the sentence in the model M is that there isa natural number x such that no other natural number issmaller than x.


Example






Is this sentence true in the model?


Example






Is this sentence true in the model?

Since 0 has this property, the sentence is true in this model.



We will often use a shorthand when discussing bothsignatures and models. The signature shorthand lists eachsymbol in the signature.

The model shorthand lists the domain and the interpretationof each symbol of the signature.

The signature for set theory can thus be described as (∈, ∅),and the above model as (N , <, 0).



Given a model M , a variable assignment s is a function whichassigns to each variable an element of M .

Given a wff φ, we say that M satisfies φ with s and write|=M φ[s] if φ is true in the model M with variable assignments.

To define this formally, we first define the extensions : T → dom(M), a function from the set T of all terms into thedomain of M :

1. For each variable x, s(x) = s(x).

2. For each constant symbol c, s(c) = cM .

3. If t1,. . . ,tn are terms and f is an n-ary function symbol,then s(ft1, . . . , tn) = fM(s(t1), . . . , s(tn)).


Logical Definitions

Suppose Σ is a signature. A Σ-formula is a well-formedformula whose non-logical symbols are contained in Σ.

Let Γ be a set of Σ-formulas. We write |=M Γ[s] to signify that|=M φ[s] for every φ ∈ Γ.

If Γ is a set of Σ-formulas and φ is a Σ-formula, then Γlogically implies φ, written Γ |= φ, iff for every model M of Σand every variable assignment s, if |=M Γ[s] then |=M φ[s].

We write ψ |= φ as an abbreviation for {ψ} |= φ.

ψ and φ are logically equivalent (written ψ |= |=φ) iff ψ |= φ andφ |= ψ.

A Σ-formula φ is valid, written |= φ iff ∅ |= φ (i.e. |=M φ[s] forevery M and s).


Examples

Suppose that P is a unary predicate and Q a binarypredicate. Which of the following are true?1. ∀ v1 Pv1 |= Pv2

∀x ∃ y Qxy |= ∃ y ∀x Qxy


Examples

Suppose that P is a unary predicate and Q a binarypredicate. Which of the following are true?1. ∀ v1 Pv1 |= Pv2 True

2. Pv1 |= ∀ v1 Pv1



Examples


2. Pv1 |= ∀ v1 Pv1 False

3. ∀ v1 Pv1 |= ∃ v2 Pv2



Examples



3. ∀ v1 Pv1 |= ∃ v2 Pv2 True

4. ∃x ∀ y Qxy |= ∀ y ∃x Qxy



Examples



3. ∀ v1 Pv1 |= ∃ v2 Pv2 True

4. ∃x ∀ y Qxy |= ∀ y ∃x Qxy True

5. ∀x ∃ y Qxy |= ∃ y ∀x Qxy


Examples



3. ∀ v1 Pv1 |= ∃ v2 Pv2 True


5. ∀x ∃ y Qxy |= ∃ y ∀x Qxy False

6. |= ∃x (Px→ ∀ y Py)


Examples



3. ∀ v1 Pv1 |= ∃ v2 Pv2 True



6. |= ∃x (Px→ ∀ y Py) True

Which models satisfy the following sentences?1. ∀x ∀ y x = y


Examples



3. ∀ v1 Pv1 |= ∃ v2 Pv2 True



6. |= ∃x (Px→ ∀ y Py) True

Which models satisfy the following sentences?1. ∀x ∀ y x = y Models with exactly one element.2. ∀x ∀ y Qxy


Examples



3. ∀ v1 Pv1 |= ∃ v2 Pv2 True



6. |= ∃x (Px→ ∀ y Py) True

Which models satisfy the following sentences?1. ∀x ∀ y x = y Models with exactly one element.2. ∀x ∀ y Qxy Models (A,R) where R = A× A.3. ∀x ∃ y Qxy


Examples



3. ∀ v1 Pv1 |= ∃ v2 Pv2 True



6. |= ∃x (Px→ ∀ y Py) True

Which models satisfy the following sentences?1. ∀x ∀ y x = y Models with exactly one element.2. ∀x ∀ y Qxy Models (A,R) where R = A× A.3. ∀x ∃ y Qxy Models (A,R) where dom(R) = A.


Validity and Satisfiability Modulo Theories

A theory is a set of sentences. For a given signature Σ, aΣ-theory is a set of sentences, each of which is a Σ-formula.

We will assume for convenience that theories are closedunder logical implication.

Given a Σ-theory T , a Σ-formula φ is

1. T -valid if |=M φ[s] for all models M of T and all variableassignments s.

2. T -satisfiable if there exists some model M of T andvariable assignment s such that |=M φ[s].

3. T -unsatisfiable if 6|=M φ[s] for all models M of T and allvariable assignments s.


Validity and Satisfiability Modulo Theories

The validity problem for T is the problem of deciding, for eachΣ-formula φ, whether φ is T -valid.

The satisfiability problem for T is the problem of deciding, foreach Σ-formula φ, whether φ is T -satisfiable.

Similarly, one can define the quantifier-free validity problemand the quantifier-free satisfiability problem for a Σ-theory Tby restricting the formula φ to be quantifier-free.

Note that validity problems can always be reduced tosatisfiability problems:

φ is T -valid iff ¬φ is T -unsatisfiable.

We will consider a few examples of theories which are ofparticular interest in verification applications [MZ03].


Roadmap




The Theory TE of Equality

The theory TE of equality is the empty theory.

The theory does not restrict the possible values of symbols inany way. For this reason, it is sometimes called the theory ofequality with uninterpreted functions (EUF).

The satisfiability problem for TE is just the satisfiabilityproblem for first order logic, which is undecidable.

The satisfiability problem for conjunctions of literals in TE isdecidable in polynomial time using congruence closure.


The Theory TZ of Integers

Let ΣZ be the signature (0, 1,+,−,≤).

Let AZ be the standard model of the integers with domain Z.

Then TZ is defined to be the set of all ΣZ-sentences true inthe model AZ .

As showed by Presburger in 1929, the general satisfiabilityproblem for TZ is decidable, but its complexity istriply-exponential.

The quantifier-free satisfiability problem for TZ is “only”NP-complete.


The Theory TZ of Integers

Let Σ×Z be the same as ΣZ with the addition of the symbol ×

for multiplication, and define A×Z and T×

Z in the obvious way.

The satisfiability problem for T×Z is undecidable (a

consequence of Gödel’s incompleteness theorem).

In fact, even the quantifier-free satisfiability problem for T×Z is

undecidable.


The Theory TR of Reals

Let ΣR be the signature (0, 1,+,−,≤).

Let AR be the standard model of the reals with domain R.

Then TR is defined to be the set of all ΣR-sentences true inthe model AR.

The satisfiability problem for TR is decidable, but thecomplexity is doubly-exponential.

The quantifier-free satisfiability problem for conjunctions ofliterals (atomic formulas or their negations) in TR is solvable inpolynomial time, though exponential methods (like Simplex orFourier-Motzkin) tend to perform best in practice.


The Theory TR of Reals

Let Σ×R be the same as ΣR with the addition of the symbol ×

for multiplication, and define A×R and T×

R in the obvious way.

In contrast to the theory of integers, the satisfiability problemfor T×

R is decidable though the complexity is inherentlydoubly-exponential.


The Theory TA of Arrays

Let ΣA be the signature (read ,write ).

Let ΛA be the following axioms:

∀ a ∀ i ∀ v (read (write (a, i, v), i) = v)∀ a ∀ i ∀ j ∀ v (i 6= j → read (write (a, i, v), j) = read (a, j))∀ a ∀ b ((∀ i (read (a, i) = read (b, i))) → a = b)

Then TA = Cn ΛA.

The satisfiability problem for TA is undecidable, but thequantifier-free satisfiability problem for TA is decidable (theproblem is NP-complete).


Theories of Inductive Data Types

An inductive data type (IDT) defines one or moreconstructors, and possibly also selectors and testers.

Example: list of int

• Constructors: cons : (int, list) → list, null : list

• Selectors: car : list → int, cdr : list → list

• Testers: is cons, is null

The first order theory of a inductive data type associates afunction symbol with each constructor and selector and apredicate symbol with each tester.

Example: ∀x : list. (x = null ∨ ∃ y : int, z : list. x = cons(y, z))


Theories of Inductive Data Types

An inductive data type (IDT) defines one or moreconstructors, and possibly also selectors and testers.

Example: list of int

• Constructors: cons : (int, list) → list, null : list

• Selectors: car : list → int, cdr : list → list

• Testers: is cons, is null

For IDTs with a single constructor, a conjunction of literals isdecidable in polynomial time [Opp80].

For more general IDTs, the problem is NP complete, butreasonbly efficient algorithms exist in practice[ZSM04a, ZSM04b, BST07].


Other Interesting Theories

Some other interesting theories include:

• Theories of bit-vectors[CMR97, Möl97, BDL98, BP98, EKM98, GBD05]

• Fragments of set theory [CZ00]• Theories of pointers and reachability:

[RBH07, YRS+06, LQ08]


Roadmap




Theory Solvers

The theory reasoning in an SMT solver is done with a theorysolver.

Given a Σ-theory T , a theory solver for T takes as input a setof Σ-literals and determines whether the set is satisfiable orunsatisfiable.

We next consider some examples of theory solvers.


Congruence Closure [NO80]

Let G = (V,E) be a directed graph such that for each vertex vin G, the successors of v are ordered.

Let C be any equivalence relation on V .

The congruence closure C∗ of C is the finest equivalencerelation on V that contains C and satisfies the followingproperty for all vertices v and w:

Let v and w have successors v1, . . . , vk and w1, . . . , wl

respectively. If k = l and (vi, wi) ∈ C∗ for 1 ≤ i ≤ k,then (v, w) ∈ C∗.


Congruence Closure

In other words, if the corresponding successors of v and ware equivalent under C∗, then v and w are themselvesequivalent under C∗.Often, the vertices are labeled by some labeling function λ. Inthis case, the property becomes:

If λ(v) = λ(w) and if k = l and (vi, wi) ∈ C∗ for1 ≤ i ≤ k, then (v, w) ∈ C∗.


A Simple Algorithm

Let C0 = C and i = 0.1. Number the equivalence classes in Ci starting with 1.

2. Let α assign to each vertex v the number α(v) of theequivalence class containing v.

3. For each vertex v construct a signatures(v) = λ(v)(α(v1), . . . , α(vk)), where v1, . . . , vk are thesuccessors of v.

4. Group the vertices into classes of vertices having equalsignatures.

5. Let Ci+1 be the finest equivalence relation on V such thattwo vertices equivalent under Ci or having the samesignature are equivalent under Ci+1.

6. If Ci+1 = Ci, let C∗ = Ci; otherwise increment i andrepeat.


Congruence Closure and TE

Recall that TE is the empty theory with equality over somesignature Σ containing only function symbols.

If Γ is a set of ground Σ-equalities and ∆ is a set of groundΣ-disequalities, then the satisfiability of Γ ∪ ∆ can bedetermined as follows.

• Let G be a graph which corresponds to the abstractsyntax trees of terms in Γ ∪ ∆, and let vt denote thevertex of G associated with the term t.

• Let C be the equiavlence relation on the vertices of Ginduced by Γ.

• Γ ∪ ∆ is satisfiable iff for each s 6= t ∈ ∆, (vs, vt) 6∈ C∗.


An Algorithm for TE

union and find are abstract operations for manipulatingequivalence classes.

union(x, y) merges the equivalence classes of x and y.

find(x) returns a unique representative of the equivalenceclass of x.

CC(Γ,∆)Construct G(V,E) from terms in Γ and ∆.while Γ 6= ∅Remove some equality a = b from Γ;Merge(a, b);

if find(a) = find(b) for some a 6= b ∈ ∆ thenreturn False;

return True;


An Algorithm for TE

Merge(a, b)if find(a) = find(b) then return ;Let A be the set of all predecessorsof all vertices equivalent to a;

Let B be the set of all predecessorsof all vertices equivalent to b;

union(a, b);foreach x ∈ A and y ∈ B

if s(x) = s(y) then Merge(x, y);


Shostak’s Method

In 1984 [Sho84], Robert Shostak published a paper whichdetailed a particular strategy for deciding satisfiability ofquantifier-free formulas in certain kinds of theories.

The original version promises three main things:

1. For theories T which meet the criteria (we will call theseShostak theories), the method gives a decision procedurefor quantifier-free T -satisfiability.

2. The method has the theory TE “built-in”, so for anyShostak theory T , the method gives a decision procedurefor quantifier-free T ∪ TE-satisfiability.

3. Any two Shostak theories T1 and T2 can be combined toform a new Shostak theory T1 ∪ T2.


Shostak’s Method

Unfortunately, the original paper contains many errors and anumber of papers have since been dedicated to correctingthem [CLS96, RS01, Gan02, BDS02b, KC03].

When the dust settled, it finally became clear that the first twoclaims can be justified, but the last one is false.

Most proponents of the method now agree that any attempt tocombine theories is best understood in the context of theNelson-Oppen method.

However, in this context, there is much that can be learnedfrom Shostak’s method.


Shostak’s Method

The first helpful insight is how to build a decision procedurefor a single Shostak theory.

Recall that the Nelson-Oppen method gives a decisionprocedure for a combination of theories given decisionprocedures for the component theories.

However, the Nelson-Oppen method provides no help on howto build the decision procedures for the component theories.

Shostak provides one solution for the special case of Shostaktheories.


Shostak Theories

A consistent theory T with signature Σ is a Shostak theory ifthe following conditions hold.


Shostak Theories


1. Σ does not contain any predicate symbols.


Shostak Theories



2. T is convex.


Shostak Theories



2. T is convex.Recall that a theory T is convex if for any conjunction ofliterals ϕ and variables x1, . . . xn, y1, . . . , yn,

T ∪ φ |= x1 = y1 ∨ · · · ∨ xn = yn impliesT ∪ φ |= xi = yi for some 1 ≤ i ≤ n.


Shostak Theories



2. T is convex.

3. T has a solver solve.


Shostak Theories



2. T is convex.

3. T has a solver solve.The solver solve must be a computable function fromΣ-equations to sets of Σ-formulas defined as follows:

(a) If T |= a 6= b, then solve(a = b) ≡ {False}.(b) Otherwise, solve(a = b) returns a set E of equations in

solved form such that T |= [(a = b) ↔ ∃w. E ], where ware fresh variables not appearing in a or b.


Shostak Theories



2. T is convex.




E is in solved form iff the left-hand side of each equationin E is a variable which appears only once in E .


Shostak Theories



2. T is convex.




We denote by E(X) the result of applying E as asubstitution to X.


Shostak Theories



2. T is convex.


4. T has a canonizer canon.


Shostak Theories



2. T is convex.


4. T has a canonizer canon.The canonizer canon must be a computable function fromΣ-terms to Σ-terms with the property that

T |= a = b iff canon(a) ≡ canon(b).


Algorithm Sh

Algorithm Sh checks the satisfiability in T of a set ofequalities, Γ, and an set of disequalities, ∆.Sh(Γ,∆, canon, solve)1. E := ∅;2. while Γ 6= ∅ do begin3. Remove some equality a = b from Γ;4. a∗ := E(a); b∗ := E(b);5. E∗ := solve(a∗ = b∗);6. if E∗ = {False} then return False;7. E := E∗(E) ∪ E∗;8. end9. if canon(E(a)) ≡ canon(E(b)) for some a 6= b ∈ ∆

then return False;10. return True;


Example

The most obvious example of a Shostak theory is TR(without ≤).

• Step 1: Use the solver to convert Γ into an equisatisfiableset E of equations in solved form.


Example



Γ E

−x− 3y + 2z = 1 −x− 3y + 2z = 1

x− y − 6z = 1

2x+ y − 10z = 3


Example



Γ E

x = −3y + 2z + 1 −x− 3y + 2z = 1

x− y − 6z = 1

2x+ y − 10z = 3


Example



Γ E

x− y − 6z = 1 x = −3y + 2z + 1

2x+ y − 10z = 3

2x+ y − 10z = 3


Example



Γ E

−4y − 4z + 1 = 1 x = −3y + 2z + 1

2x+ y − 10z = 3

2x+ y − 10z = 3


Example



Γ E

y = −z x = −3y + 2z + 1

2x+ y − 10z = 3

2x+ y − 10z = 3


Example



Γ E

y = −z x = 3z + 2z + 1

2x+ y − 10z = 3

2x+ y − 10z = 3 x = −3y + 2z + 1


Example



Γ E

2x+ y − 10z = 3 x = 5z + 1

y = −z

2x+ y − 10z = 3 x = −3y + 2z + 1


Example



Γ E

z = −1 x = 5z + 1

y = −z

2x+ y − 10z = 3 x = −3y + 2z + 1


Example



Γ E

z = −1 x = 5(−1) + 1

y = −(−1)

2x+ y − 10z = 3 x = −3y + 2z + 1


Example



Γ E

x = −4

y = 1

2x+ y − 10z = 3 z = −1


Example



Γ E

x = −4

y = 1

2x+ y − 10z = 3 z = −1

Note that for this theory, the main loop of Shostak’s algorithmis equivalent to Gaussian elimination with back-substitution.


Example



• Step 2: Use E and canon to check if any disequality isviolated:

For each a 6= b ∈ ∆, check ifcanon(E(a)) ≡ canon(E(b)).


Example





E ∆

x = −4 x 6= 4y

y = 1 x+ w 6= w + z − 3y

z = −1 −4 + w 6= w + (−1) − 3(1)


Example





E ∆

x = −4 −4 6= 4(1)

y = 1 x+ w 6= w + z − 3y

z = −1 −4 + w 6= w + (−1) − 3(1)


Example





E ∆

x = −4 −4 6= 4

y = 1 x+ w 6= w + z − 3y

z = −1 −4 + w 6= w + (−1) − 3(1)


Example





E ∆

x = −4 −4 6= 4

y = 1 −4 + w 6= w + (−1) − 3(1)

z = −1 −4 + w 6= w + (−1) − 3(1)


Example





E ∆

x = −4 −4 6= 4

y = 1 w + (−4) 6= w + (−4)

z = −1 −4 + w 6= w + (−1) − 3(1)


Other Shostak Theories

A few other theories can be handled using this algorithm:• TZ (without ≤) is also a Shostak theory.• A simple theory of lists (without the NULL list).

However, the idea of using solvers and canonizers can beapplied to help decide other theories as well:

• One component in decision procedures for TR and TZ(with ≤).

• Partial canonizing and solving is useful in TA.• Partial canonizing and solving is useful for the theory of

bit-vectors.


Shostak and Theory Combination

As mentioned, Shostak’s second claim is that a combinationwith TE can be easily achieved.

The details are a bit technical, and the easiest way tounderstand it is as a special case of a Nelson-Oppencombination.

The special part is that the abstract Nelson-Oppen is refinedin several ways that make implementation easier.

We will look at this next.


Shostak’s Method: Summary

Shostak’s method provides• a simple decision procedure for Shostak theories• insight into the usefulness of solvers and canonizers• insight into practical ways to refine Nelson-Oppen (next)

Shostak’s method does not provide• a general method for combining theories


Roadmap




The Nelson-Oppen Method

A very general method for combining decision procedures isthe Nelson-Oppen method [NO79, TH96].

This method is applicable when

1. The signatures Σi are disjoint.

2. The theories Ti are stably-infinite.A Σ-theory T is stably-infinite if every T -satisfiablequantifier-free Σ-formula is satisfiable in an infinitemodel.

3. The formulas to be tested for satisfiability areconjunctions of quantifier-free literals.

In practice, only the requirement that formulas bequantifier-free is a significant restriction.



Definitions

1. A member of Σi is an i-symbol.

2. A term t is an i-term if it starts with an i-symbol.

3. An atomic i-formula is an application of an i-predicate ,an equation whose lhs is an i-term, or an equation whoselhs is a variable and whose rhs is an i-term.

4. An i-literal is an atomic i-formula or the negation of one.

5. An occurrence of a term t in either an i-term or an i-literalis i-alien if t is a j-term with i 6= j and all of itssuper-terms (if any) are i-terms.

6. An expression is pure if it contains only variables andi-symbols for some i.



Now we can explain step one of the Nelson-Oppen method:

1. Conversion to Separate Form

Given a conjunction of literals, φ, we desire to convert it into aseparate form: a T -equisatisfiable conjunction of literalsφ1 ∧ φ2 ∧ · · · ∧ φn, where each φi is a Σi-formula.

The following algorithm accomplishes this:

1. Let ψ be some literal in φ.

2. If ψ is a pure i-literal, for some i, remove ψ from φ andadd ψ to φi; if φ is empty then stop; otherwise goto step 1.

3. Otherwise, ψ is an i-literal for some i. Let t be a termoccuring i-alien in ψ. Replace t in φ with a new variable z,and add z = t to φ. Goto step 1.



It is easy to see that φ is T -satisfiable iff φ1 ∧ · · · ∧ φn isT -satisfiable.

Furthermore, because each φi is a Σi-formula, we can runSat i on each φi.

Clearly, if Sat i reports that any φi is unsatisfiable, then φ isunsatisfiable.

But the converse is not true in general.

We need a way for the decision procedures to communicatewith each other about shared variables.

First a definition: If S is a set of terms and ∼ is anequivalence relation on S, then the arrangement of S inducedby ∼ is Ar∼ = {x = y | x ∼ y} ∪ {x 6= y | x 6∼ y}.



Suppose that T1 and T2 are theories with disjoint signaturesΣ1 and Σ2 respectively. Let T = Cn

⋃Ti and Σ =

⋃Σi. Given

a Σ-formula φ and decision procedures Sat 1 and Sat 2 for T1

and T2 respectively, we wish to determine if φ is T -satisfiable.The non-deterministic Nelson-Oppen algorithm for this is asfollows:

1. Convert φ to its separate form φ1 ∧ φ2.

2. Let S be the set of variables shared between φ1 and φ2.Guess an equivalence relation ∼ on S.

3. Run Sat 1 on φ1 ∪ Ar∼.

4. Run Sat 2 on φ2 ∪ Ar∼.



If there exists an equivalence relation ∼ such that both Sat 1

and Sat 2 succeed, then φ is T -satisfiable.

If no such equivalence relation exists, then φ isT -unsatisfiable.

The generalization to more than two theories isstraightforward.


Example

Consider the following ΣE ∪ ΣZ formula:

φ = 1 ≤ x ∧ x ≤ 2 ∧ f(x) 6= f(1) ∧ f(x) 6= f(2).


Example

Consider the following ΣE ∪ ΣZ formula:

φ = 1 ≤ x ∧ x ≤ 2 ∧ f(x) 6= f(1) ∧ f(x) 6= f(2).

We first convert φ to a separate form:

φE = f(x) 6= f(y) ∧ f(x) 6= f(z)φZ = 1 ≤ x ∧ x ≤ 2 ∧ y = 1 ∧ z = 2

The shared variables are {x, y, z}. There are 5 possiblearrangements based on equivalence classes of x, y, and z.


Example


1. {x = y, x = z, y = z}

2. {x = y, x 6= z, y 6= z}

3. {x 6= y, x = z, y 6= z}

4. {x 6= y, x 6= z, y = z}

5. {x 6= y, x 6= z, y 6= z}


Example


1. {x = y, x = z, y = z}: inconsistent with φE .

2. {x = y, x 6= z, y 6= z}

3. {x 6= y, x = z, y 6= z}

4. {x 6= y, x 6= z, y = z}

5. {x 6= y, x 6= z, y 6= z}


Example



2. {x = y, x 6= z, y 6= z}: inconsistent with φE .

3. {x 6= y, x = z, y 6= z}

4. {x 6= y, x 6= z, y = z}

5. {x 6= y, x 6= z, y 6= z}


Example




3. {x 6= y, x = z, y 6= z}: inconsistent with φE .

4. {x 6= y, x 6= z, y = z}

5. {x 6= y, x 6= z, y 6= z}


Example





4. {x 6= y, x 6= z, y = z}: inconsistent with φZ .

5. {x 6= y, x 6= z, y 6= z}


Example





4. {x 6= y, x 6= z, y = z}: inconsistent with φZ .

5. {x 6= y, x 6= z, y 6= z}: inconsistent with φZ .


Correctness of Nelson-Oppen

We define an interpretation of a signature Σ to be a model ofΣ together with a variable assignment. If A is aninterpretation, we write A |= φ to mean that φ is satisfied bythe model and variable assignment contained in A.

Two interpretations A and B are isomorphic if there exists anisomorphism h of the model of A into the model of B andh(xA) = xB for each variable x (where xA signifies the valueassigned to x by the variable assignment of A).

We furthermore define AΣ,V to be the restriction of A to thesymbols in Σ and the variables in V .



Theorem

Let Σ1 and Σ2 be signatures, and for i = 1, 2, let φi be a set ofΣi-formulas, and Vi the set of variables appearing in φi. Thenφ1 ∪ φ2 is satisfiable iff there exists a Σ1-interpretation Asatisfying φ1 and a Σ2-interpretation B satisfying φ2 such that:

AΣ1∩Σ2,V1∩V2 is isomorphic to BΣ1∩Σ2,V1∩V2 .



Proof

Let Σ = Σ1 ∩ Σ2 and V = V1 ∩ V2.Suppose φ1 ∪ φ2 is satisfiable. Let M be an interpretationsatisfying φ1 ∪ φ2. If we let A = MΣ1,V1 and B = MΣ2,V2 , thenclearly:

• A |= φ1

• B |= φ2

• AΣ,V is isomorphic to BΣ,V

On the other hand, suppose that we have A and B satisfyingthe three conditions listed above. Let h be an isomorphismfrom AΣ,V to BΣ,V .



We define an interpretation M as follows:• dom(M) = dom(A)

• For each variable or constant u, uM ={

uA if u ∈ (ΣC1 ∪ V1)

h−1(uB) otherwise

• For function symbols of arity n,

fM(a1, . . . , an) =

{fA(a1, . . . , an) if f ∈ ΣF

1

h−1(fB(h(a1), . . . , h(an))) otherwise

• For predicate symbols of arity n,(a1, . . . , an) ∈ PM iff (a1, . . . , an) ∈ PA if P ∈ ΣP

1

(a1, . . . , an) ∈ PM iff (h(a1), . . . , h(an)) ∈ PB

otherwise



By construction, MΣ1,V1 is isomorphic to A. In addition, it iseasy to verify that h is an isomorphism of MΣ2,V2 to B.

It follows by the homomorphism theorem (a standard theoremof first-order logic) that M satisfies φ1 ∪ φ2.

�



Theorem

Let Σ1 and Σ2 be signatures, with Σ1 ∩Σ2 = ∅, and for i = 1, 2,let φi be a set of Σi-formulas, and Vi the set of variablesappearing in φi. As before, let V = V1 ∩ V2. Then φ1 ∪ φ2 issatisfiable iff there exists an interpretation A satisfying φ1 andan interpretation B satisfying φ2 such that:

1. |A| = |B|, and

2. xA = yA iff xB = yB for every pair of variables x, y ∈ V .



Proof

Clearly, if φ1 ∪ φ2 is satisfiable in some interpretation M , thenthe only if direction holds by letting A = M and B = M .

Consider the converse. Let h : V A → V B be defined ash(xA) = xB. This definition is well-formed by property 2above.

In fact, h is bijective. To show that h is injective, leth(a1) = h(a2). Then there exist variables x, y ∈ V such thata1 = xA, a2 = yA, and xB = yB. By property 2, xA = yA, andtherefore a1 = a2.



To show that h is surjective, let b ∈ V B. Then there exists avariable x ∈ V B such that xB = b. But then h(xA) = b.

Since h is bijective, it follows that |V A| = |V B|, and since|A| = |B|, we also have that |A− V A| = |B − V B|. We cantherefore extend h to a bijective function h′ from A to B.

By construction, h′ is an isomorphism of AV to BV . Thus, bythe previous theorem, we can obtain an interpretationsatisfying φ1 ∪ φ2.

�



We can now prove the correctness of the non-deterministicNelson-Oppen method:

Theorem

Let Ti be a stably-infinite Σi-theory, for i = 1, 2, and supposethat Σ1 ∩Σ2 = ∅. Also, let φi be a set of Σi literals, i = 1, 2, andlet S be the set of variables appearing in both φ1 and φ2. Thenφ1 ∪ φ2 is T1 ∪ T2-satisfiable iff there exists an equivalencerelation ∼ on S such that φi ∪ Ar∼ is Ti-satisfiable, i = 1, 2.



Proof

(⇒) Suppose M is an interpretation satisfying φ1 ∪ φ2. Definex ∼ y iff x, y ∈ S and xM = yM . By construction, M is aTi-interpretation satisfying φi ∪ Ar∼, i = 1, 2.

(⇐) Suppose there exists ∼ such that φi ∪ Ar∼ isTi-satisfiable, i = 1, 2. Since each Ti is stably-infinite, there isare infinite interpretations A and B such that A satisfiesφ1 ∪ Ar∼ and B satisfies φ2 ∪ Ar∼.

By another standard theorem (LST), we can take the leastupper bound of |A| and |B| and obtain interpretations of thatcardinality.

Then we have |A| = |B| and xA = yA iff xB = yB for everyvariable x, y ∈ S. By the previous theorem, there exists of a(Σ1 ∪ Σ2)-interpretation satisfying φ1 ∪ φ2. �


Nelson-Oppen Example

Consider the following example in a combination of TE , TZ ,and TA:

¬p(y) ∧ s = write (t, i, 0) ∧ x− y − z = 0 ∧z + read (s, i) = f(x− y) ∧ p(x− f(f(z))).

After purification, we have the following:

ϕE ϕZ ϕA

¬p(y) l − z = j s = write (t, i, j)

m = f(l) j = 0 k = read (s, i)

p(v) l = x− y

n = f(f(z)) m = z + k

v = x− n


Example

ϕE ϕZ ϕA

¬p(y) l − z = j s = write (t, i, j)

m = f(l) j = 0 k = read (s, i)

p(v) l = x− y

n = f(f(z)) m = z + k

v = x− n

There are 12 constants in this example:• Shared: l, z, j, y,m, k, v, n• Unshared: x, s, t, i

There are 21147 arrangements of {l, z, j, y,m, k, v, n}.Clearly, a practical implementation cannot consider all ofthese separately.


Implementing Nelson-Oppen

In order to obtain a more practical implementation ofNelson-Oppen, we will consider the following refinements:

• Eliminating the purification step• Incremental processing with theory-specific rewrites• Strategies for searching through arrangements



As most implementers of SMT systems will tell you, thepurification step is not really necessary in practice.

In fact, a simple variation of Nelson-Oppen can be obtainedthat does not require purification [BDS02b].

Given a set of mixed (impure) literals Γ, define a shared termto be any term in Γ which occurs i-alien for some i in someliteral or sub-term in Γ.

Note that these are exactly the terms that would have beenreplaced with new constants in the purification step.

Assume also that each Sat i is modified so that it treats alienterms as constants.



The following is a variation of Nelson-Oppen which does notuse purification.

1. Partition Γ into sets ϕi, where each literal in ϕi is ani-literal (literals containing only equalities betweenvariables can go anywhere).

2. Let S be the set of shared terms in Γ.

3. For each arrangement ∆ of S,Check Sat i(ϕi ∧ ∆) for each i.


Example

Consider again the example from before:


After partitioning, we have the following:

ϕE ϕZ ϕA

¬p(y) x− y − z = 0 s = write (t, i, 0)

p(x− f(f(z))) z + read (s, i) = f(x− y)

The shared terms are:

read (s, i), x− y, f(x− y), 0, y, z, f(f(z)), x− f(f(z)).

Unfortunately, there are still too many arrangements.



The next refinement is to process Γ incrementally, allowingtheory-specific rewrites that can potentially reduce thenumber of shared terms.

Examples of theory-specific rewrites include canonization orpartial canonization and simplification based on previouslyseen literals.

1. For each ϕ ∈ Γ

(a) (Optionally) apply theory-specific rewrites to ϕ to get ϕ′

(b) Identify the shared terms in ϕ′ and add these to S(c) Where ϕ′ is an i-literal, add ϕ′ to ϕi

2. For each arrangement ∆ of S,Check Sat i(ϕi ∧ ∆) for each i.


Example

Let’s see what happens if we process our exampleincrementally:


ϕE ϕZ ϕA

¬p(y) x = y + z s = write (t, i, 0)

p(y) z = f(z)

The shared terms are: 0, y, z, f(z). There are only 52arrangements now.

More importantly, ϕE is now inconsistent in the theory TE ,making it unnecessary to examine any arrangements.



We have seen two ways to avoid searching through too manyarrangements:

1. Reduce the number of shared terms

2. Detect an inconsistency early

As a further example of (2), we can build arrangementsincrementally, backtracking if any theory detects aninconsistency.

For convex theories, this strategy is very efficient.

For non-convex theories, we may have to explore the entiresearch space of arrangements.



The strategies we have looked at so far do not assume anyhelp from the theory decision procedures (beyond the abilityto determine inconsistency).

If the theory decision procedures are able to give additionalinformation, it may significantly help to prune the arrangementsearch.

The next refinement of our algorithm captures this.



1. For each ϕ ∈ Γ

(a) (Optional) Apply theory-specific rewrites to ϕ to get ϕ′

(b) Identify the shared terms in ϕ′ and add these to S(c) Where ϕ′ is an i-literal, add ϕ′ to ϕi

(d) (Optional) If ϕi |= s1 = s2 or ϕi |= s1 6= s2, s1, s2 ∈ S,add this fact to Γ.

2. Incrementally search through arrangements ∆ of S thatare consistent with

∧ϕi. For each arrangement, check

Sat i(ϕi ∧ ∆) for each i.



Finally, for maximum efficiency and flexibility, we can push theentire burden of arrangement finding onto the theory decisionprocedures.

Suppose Φ =∧ϕi is the partition of literals from Γ that have

been processed so far and that S is the set of shared terms.

The equivalence relation R on S induced by Φ is defined asfollows: for x, y ∈ S, xRy iff x = y ∈ ϕi for some i.

The arrangement ∆(Φ) of S induced by Φ is the arrangementinduced by R.



For each ϕ ∈ Γ:

1. (Optional) Apply theory-specific rewrites to ϕ to get ϕ′

2. Identify the shared terms in ϕ′ and add these to S

3. Where ϕ′ is an i-literal, add ϕ′ to ϕi

4. If ϕi ∧ ∆(Φ) is not satisfiable, compute some formula ψsuch that ϕi |= ψ and ψ∧∆(Φ) is inconsistent. Add ψ to Γ.



For each ϕ ∈ Γ:





Some notes:• In general, ψ does not have to be a literal. In this case, ψ

must be processed by the SAT solver (more on this next).• Theories can be lazy until Γ is empty.• Termination becomes the responsibility of the theory

decision procedures.



For each ϕ ∈ Γ:





More notes:• It is not hard to fit a Shostak-style decision procedure into

this framework.• This is essentially the algorithm used in the CVC

tools [Bar03].


Roadmap




Combining with SAT

Theory solvers check the satisfiability of conjunctions ofliterals.

What about more general Boolean combinations of literals?

What is needed is a combination of SAT reasoning and theoryreasoning.

The so-called eager approach to SMT tries to find ways ofencoding everything into SAT. There are a variety oftechniques and for some theories, this works quite well.

Here, I will focus on the lazy combination of SAT and Theoryreasoning. The lazy approach is the basis for most modernSMT solvers [? BDS02a].


Abstract DPLL Modulo Theories

The Abstract DPLL Modulo Theories framework extends theAbstract DPLL framework, providing an abstract and formalsetting for reasoning about the combination of SAT andtheory reasoning [NOT06].

Assume we have a theory T with signature Σ and a solverSat T that can check T -satisfiability of conjunctions ofΣ-literals.

Suppose we want to check the satisfiability of an arbitray(quantifier-free) Σ-formula φ.

We start by converting φ to CNF.

Now, let’s consider using the Abstract DPLL rules (allowingany first-order literal where before we had propositionalliterals).


Abstract DPLL Rules

UnitProp :

M || F, C ∨ l =⇒ M l || F, C ∨ l if

8

<

:

M |= ¬C

l is undefined in M

PureLiteral :

M || F =⇒ M l || F if

8

>

>

<

>

>

:

l occurs in some clause of F

−l occurs in no clause of F

l is undefined in M

Decide :

M || F =⇒ M ld || F if

8

<

:

l or ¬l occurs in a clause of F

l is undefined in M

Fail :

M || F, C =⇒ fail if

8

<

:

M |= ¬C

M contains no decision literals


Abstract DPLL Rules

Backjump :

M ld N || F, C =⇒ M l′ || F, C if

8

>

>

>

>

>

>

>

<

>

>

>

>

>

>

>

:

M ld N |= ¬C, and there is

some clause C′ ∨ l′ such that:

F, C |= C′ ∨ l′ and M |= ¬C′,

l′ is undefined in M , and

l′ or ¬l′ occurs in F or in M ld N

Learn :

M || F =⇒ M || F, C if

8

<

:

all atoms of C occur in F

F |= C

Forget :

M || F, C =⇒ M || F if

n

F |= C

Restart :

M || F =⇒ ∅ || F



The first change is to the definition of a final state. A finalstate is now:

• the special fail state: fail , or• M || F , where M |= F , and Sat T (M) reports satisfiable.





What happens if we reach a state in which: M || F , M |= F ,and Sat T (M) reports unsatisfiable? (call this a pseudo-finalstate)






We need to backtrack. The SAT solver will take care of thisautomatically if we can add a clause C such that M |= ¬C.







What clause should we add?







What clause should we add? How about ¬M?



The justification for adding ¬M is that T |= ¬M .

We can generalize this to any clause C such that T |= C. Thefollowing modified Learn rule allows this (we also modify theForget rule in an analagous way):

Theory Learn :

M || F =⇒ M || F, C if

8

<

:

all atoms of C occur in F

F |=T C

Theory Forget :

M || F, C =⇒ M || F if

n

F |=T C



The resulting set of rules is almost enough to correctlyimplement an SMT solver. We need one more change.




A somewhat surprising observation is that the pure literal rulehas to be abandoned. Why?





Propositional literals are independent of each other, but firstorder literals may not be.





Propositional literals are independent of each other, but firstorder literals may not be.

The remaining rules form a sound and complete procedurefor SMT.


From SAT to SMT

g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3


From SAT to SMT

g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3


From SAT to SMT

g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3


From SAT to SMT

g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3


From SAT to SMT

g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Theory Learn)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4


From SAT to SMT

g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Theory Learn)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4 =⇒ (Backjump)

1 2d

4 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4


From SAT to SMT

g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Theory Learn)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4 =⇒ (Backjump)

1 2d

4 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4 =⇒ (UnitProp)

1 2d

4 3 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4


From SAT to SMT

g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Theory Learn)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4 =⇒ (Backjump)

1 2d

4 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4 =⇒ (UnitProp)

1 2d

4 3 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4 =⇒ (Theory Learn)

1 2d

4 3 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4, 1 ∨ 2 ∨ 4 ∨ 3


From SAT to SMT

g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Theory Learn)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4 =⇒ (Backjump)

1 2d

4 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4 =⇒ (UnitProp)

1 2d

4 3 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4 =⇒ (Theory Learn)

1 2d

4 3 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4, 1 ∨ 2 ∨ 4 ∨ 3 =⇒ (Backjump)

1 2 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4, 1 ∨ 2 ∨ 4 ∨ 3


From SAT to SMT

g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Theory Learn)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4 =⇒ (Backjump)

1 2d

4 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4 =⇒ (UnitProp)

1 2d

4 3 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4 =⇒ (Theory Learn)

1 2d

4 3 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4, 1 ∨ 2 ∨ 4 ∨ 3 =⇒ (Backjump)

1 2 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4, 1 ∨ 2 ∨ 4 ∨ 3 =⇒ (UnitProp)

1 2 3 4 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4, 1 ∨ 2 ∨ 4 ∨ 3


From SAT to SMT

g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Theory Learn)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4 =⇒ (Backjump)

1 2d

4 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4 =⇒ (UnitProp)

1 2d

4 3 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4 =⇒ (Theory Learn)

1 2d

4 3 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4, 1 ∨ 2 ∨ 4 ∨ 3 =⇒ (Backjump)

1 2 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4, 1 ∨ 2 ∨ 4 ∨ 3 =⇒ (UnitProp)

1 2 3 4 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4, 1 ∨ 2 ∨ 4 ∨ 3 =⇒ (Theory Learn)

1 2 3 4 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4, 1 ∨ 2 ∨ 4 ∨ 3, 1 ∨ 2 ∨ 3 ∨ 4


From SAT to SMT

g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Theory Learn)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4 =⇒ (Backjump)

1 2d

4 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4 =⇒ (UnitProp)

1 2d

4 3 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4 =⇒ (Theory Learn)

1 2d

4 3 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4, 1 ∨ 2 ∨ 4 ∨ 3 =⇒ (Backjump)

1 2 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4, 1 ∨ 2 ∨ 4 ∨ 3 =⇒ (UnitProp)

1 2 3 4 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4, 1 ∨ 2 ∨ 4 ∨ 3 =⇒ (Theory Learn)

1 2 3 4 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 ∨ 4, 1 ∨ 2 ∨ 4 ∨ 3, 1 ∨ 2 ∨ 3 ∨ 4 =⇒ (Fail)

fail


Improving Abstract DPLL Modulo Theories

We will mention three ways to improve the algorithm.

• Minimizing learned clauses• Eager conflict detection• Theory propagation


Minimizing Learned Clauses

The main difficulty with the approach as it stands is thatlearned clauses can be highly redundant.

Suppose that F contains n+ 2 propositional variables.

When a pseudo-final state is reached, M will determine avalue for all n+ 2 variables.

But what if only 2 of these assignments are alreadyT -unsatisfiable?

If we always learn ¬M in a pseudo-final state, in the worstcase, 2n clauses will be need to be learned when a singleclause containing the two offending literals would havesufficed.



To avoid this kind of redundancy, we can be smarter aboutthe clauses that are learned with Theory Learn.

In particular, when Sat T (M) is called, we should make aneffort to find the smallest possible subset of M which isinconsistent.

We can then learn a clause derived from only these literals.

One way to implement this is to start removing literals one ata time from M and repeatedly call Sat T until a minimalinconsistent set is found.

However, this is typically too slow to be practical.



A better, but more difficult way to implement this is toinstrument Sat T to keep track of which facts are used toderive an inconsistency.

We can use a data structure similar to the implication graphdiscussed earlier.

Alternatively, if Sat T happens to produce proofs, the proof ofunsatisfiability of M can be traversed to obtain thisinformation.

This is the approach used in the CVC tools.


From SAT to SMT — Minimized Clauses

g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3



g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3



g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3



g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3



g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Theory Learn)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2



g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Theory Learn)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 =⇒ (Backjump)

1 2 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2



g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Theory Learn)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 =⇒ (Backjump)

1 2 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 =⇒ (UnitProp)

1 2 3 4 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2



g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Theory Learn)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 =⇒ (Backjump)

1 2 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 =⇒ (UnitProp)

1 2 3 4 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 =⇒ (Theory Learn)

1 2 3 4 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2, 1 ∨ 3 ∨ 4



g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Theory Learn)

1 2d

4d

|| 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 =⇒ (Backjump)

1 2 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 =⇒ (UnitProp)

1 2 3 4 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 =⇒ (Theory Learn)

1 2 3 4 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2, 1 ∨ 3 ∨ 4 =⇒ (Fail)

fail


Eager Conflict Detection

Currently, we have indicated that we will check M forT -satisfiability only when a pseudo-final state is reached.

In contrast, a more eager policy would be to check M forT -satisfiability every time M changes.

Experimental results show that this approach is significantlybetter.

It requires Sat T be online: able quickly to determine theconsistency of incrementally more literals or to backtrack to aprevious state.

It also requires that the SAT solver be instrumented to callSat T every time a variable is assigned a value.


From SAT to SMT — Eager Conflict Detection

g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3



g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3



g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3



g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Theory Learn)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2



g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Theory Learn)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 =⇒ (Backjump)

1 2 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2



g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Theory Learn)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 =⇒ (Backjump)

1 2 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 =⇒ (UnitProp)

1 2 3 4 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2



g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Theory Learn)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 =⇒ (Backjump)

1 2 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 =⇒ (UnitProp)

1 2 3 4 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 =⇒ (Theory Learn)

1 2 3 4 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2, 1 ∨ 3 ∨ 4



g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Decide)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Theory Learn)

1 2d

|| 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 =⇒ (Backjump)

1 2 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 =⇒ (UnitProp)

1 2 3 4 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2 =⇒ (Theory Learn)

1 2 3 4 || 1, 2 ∨ 3, 4 ∨ 3, 1 ∨ 2, 1 ∨ 3 ∨ 4 =⇒ (Fail)

fail


Theory Propagation

A final improvement is to add the following rule:Theory Propagate :

M || F =⇒ M l || F if

8

>

>

<

>

>

:

M |=T l

l or ¬l occurs in F

l is undefined in M

This rule allows a theory solver to inform the SAT solver if ithappens to know that an unassigned literal is entailed by M .

Experimental results show that this can also be very helpful inpractice.


From SAT to SMT — Theory Propagation

g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3



g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3



g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Theory Propagate)

1 2 || 1, 2 ∨ 3, 4 ∨ 3



g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)


1 2 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 2 3 || 1, 2 ∨ 3, 4 ∨ 3



g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)


1 2 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 2 3 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Theory Propagate)

1 2 3 4 || 1, 2 ∨ 3, 4 ∨ 3



g(a) = c︸︷︷︸

1

∧ f(g(a)) 6= f(c)︸︷︷︸

2

∨ g(a) = d︸︷︷︸

3

∧ c 6= d︸︷︷︸

4

∨ g(a) 6= d︸︷︷︸

3

∅ || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)


1 2 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (UnitProp)

1 2 3 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Theory Propagate)

1 2 3 4 || 1, 2 ∨ 3, 4 ∨ 3 =⇒ (Fail)

fail


Extensions

We briefly mention two extensions.

The first is to allow the theory solver to use the SAT solver forinternal case splitting [BNOT06]

We do this by allowing the learning rule to introduce newvariables and terms

Extended T-Learn :

M || F =⇒ M || F, C if

8

<

:

each atom of C occurs in F or in L(M)

F |=T ∃∗(C)


Example: Theory of Sets

Let F = (x = {y}), (x = y ∪ z), (y 6= ∅ ∨ x 6= z):



Let F = (x = {y}), (x = y ∪ z), (y 6= ∅ ∨ x 6= z):

∅ || F

x = {y}, x = y ∪ z, y = ∅d, x 6= z || F



Let F = (x = {y}), (x = y ∪ z), (y 6= ∅ ∨ x 6= z):

∅ || F =⇒ UnitProp

x = {y}, x = y ∪ z || F

x = {y}, x = y ∪ z, y = ∅d, x 6= z || F



Let F = (x = {y}), (x = y ∪ z), (y 6= ∅ ∨ x 6= z):


x = {y}, x = y ∪ z || F =⇒ Decide

x = {y}, x = y ∪ z, y = ∅d || F

x = {y}, x = y ∪ z, y = ∅d, x 6= z || F



Let F = (x = {y}), (x = y ∪ z), (y 6= ∅ ∨ x 6= z):


x = {y}, x = y ∪ z || F =⇒ Decide

x = {y}, x = y ∪ z, y = ∅d || F =⇒ UnitProp

x = {y}, x = y ∪ z, y = ∅d, x 6= z || F



Let F = (x = {y}), (x = y ∪ z), (y 6= ∅ ∨ x 6= z):


x = {y}, x = y ∪ z || F =⇒ Decide


x = {y}, x = y ∪ z, y = ∅d, x 6= z || F =⇒ Extended T-Learn

x = {y}, x = y ∪ z, y = ∅d, x 6= z || F, (x = z ∨ w ∈ x ∨ w ∈ z), (x = z ∨ w 6∈ x ∨ w 6∈ z)



Let F = (x = {y}), (x = y ∪ z), (y 6= ∅ ∨ x 6= z):


x = {y}, x = y ∪ z || F =⇒ Decide




=⇒ Decide

x = {y}, x = y ∪ z, y = ∅d, x 6= z

w ∈ xd|| F, (x = z ∨ w ∈ x ∨ w ∈ z), (x = z ∨ w 6∈ x ∨ w 6∈ z)



Let F = (x = {y}), (x = y ∪ z), (y 6= ∅ ∨ x 6= z):


x = {y}, x = y ∪ z || F =⇒ Decide




=⇒ Decide

x = {y}, x = y ∪ z, y = ∅d, x 6= z


=⇒ UnitProp

x = {y}, x = y ∪ z, y = ∅d, x 6= z

w ∈ xd, w 6∈ z|| F, (x = z ∨ w ∈ x ∨ w ∈ z), (x = z ∨ w 6∈ x ∨ w 6∈ z)



Let F = (x = {y}), (x = y ∪ z), (y 6= ∅ ∨ x 6= z):


x = {y}, x = y ∪ z || F =⇒ Decide




=⇒ Decide

x = {y}, x = y ∪ z, y = ∅d, x 6= z


=⇒ UnitProp

x = {y}, x = y ∪ z, y = ∅d, x 6= z


Theory: w ∈ y ∪ z



Let F = (x = {y}), (x = y ∪ z), (y 6= ∅ ∨ x 6= z):


x = {y}, x = y ∪ z || F =⇒ Decide




=⇒ Decide

x = {y}, x = y ∪ z, y = ∅d, x 6= z


=⇒ UnitProp

x = {y}, x = y ∪ z, y = ∅d, x 6= z


Theory: w ∈ y ∪ z . . . w ∈ y



Let F = (x = {y}), (x = y ∪ z), (y 6= ∅ ∨ x 6= z):


x = {y}, x = y ∪ z || F =⇒ Decide




=⇒ Decide

x = {y}, x = y ∪ z, y = ∅d, x 6= z


=⇒ UnitProp

x = {y}, x = y ∪ z, y = ∅d, x 6= z


Theory: w ∈ y ∪ z . . . w ∈ y . . . w ∈ ∅



Let F = (x = {y}), (x = y ∪ z), (y 6= ∅ ∨ x 6= z):


x = {y}, x = y ∪ z || F =⇒ Decide




=⇒ Decide

x = {y}, x = y ∪ z, y = ∅d, x 6= z


=⇒ UnitProp

x = {y}, x = y ∪ z, y = ∅d, x 6= z


Theory: w ∈ y ∪ z . . . w ∈ y . . . w ∈ ∅ . . . ⊥



Let F = (x = {y}), (x = y ∪ z), (y 6= ∅ ∨ x 6= z):


x = {y}, x = y ∪ z || F =⇒ Decide




=⇒ Decide

x = {y}, x = y ∪ z, y = ∅d, x 6= z


=⇒ UnitProp

x = {y}, x = y ∪ z, y = ∅d, x 6= z


Theory: w ∈ y ∪ z . . . w ∈ y . . . w ∈ ∅ . . . ⊥

=⇒ Backjump

. . .


Quantifiers

The Abstract DPLL Modulo Theories framework can also beextended to include rules for quantifier instantiation [GBT07].

• First, we extend the notion of literal to that of an abstractliteral which may include quantified formulas in place ofatomic formulas.

• Add two additional rules:

Inst_∃ :

M || F =⇒ M || F, (¬∃x. P ∨ P [x/sk]) if

8

<

:

∃x P is an abstract literal in M

sk is a fresh constant.

Inst_∀ :

M || F =⇒ M || F, (¬∀x. P ∨ P [x/t]) if

8

<

:

∀x P is an abstract literal in M

t is a ground term.


An Example

Suppose a and b are constant symbols and f is anuninterpreted function symbol. We show how to prove thevalidity of the following formula:

(0 ≤ b ∧ (∀x. 0 ≤ x→ f(x) = a)) → f(b) = a

We first negate the formula and put it into abstract CNF. Theresult is three unit clauses:

(0 ≤ b) ∧ (∀x. (¬0 ≤ x ∨ f(x) = a)) ∧ (¬f(b) = a)


An Example

Let l1, l2, l3 denote the three abstract literals in the aboveclauses. Then the following is a derivation in the extendedframework:

∅ || (l1)(l2)(l3) =⇒ (UnitProp)

l1, l2, l3 || (l1)(l2)(l3) =⇒ (Inst_∀)

l1, l2, l3 || (l1)(l2)(l3)(¬(0 ≤ b) ∨ f(b) = a) =⇒ (Fail)

fail

The last transition is possible because M falsifies the lastclause in F and contains no decisions (case-splits). As aresult, we may conclude that the original set of clauses isunsatisfiable, which implies that the original formula is valid.


Quantifiers

The simple technique of quantifier instantiation is remarkablyeffective on verification benchmarks.

The main difficulty is coming up with the right terms toinstantiate.

Matching techniques pioneered by Simplify [DNS03] haverecently been adopted and improved by several modern SMTsolvers [BdM07, GBT07].


SMT Solvers: State of the Art

Building on the fast SAT technology, SMT solvers haveimproving dramatically.

The winners of this year’s SMT competition are orders ofmagnitude faster than those of just a couple of years ago.

Current leading solvers include:• Barcelogic (U Barcelona, Spain)• CVC3 (NYU, U Iowa)• MathSAT (U Trento, Italy)• Yices (SRI)• Z3 (Microsoft)

SMT solvers are becoming the engine of choice for anever-increasing set of verification applications.


Roadmap




Modeling

The language of SMT allows us to model at a higher level ofabstraction.

Consider again the circuit example.


Running Example

��

��

��

��

=

+1

+2

1

0

1

0

1

0

test

x

y

z

a

a

a


Modeling

Recall that the invariant of the circuit is captured by thefollowing formula:(y = x + 1 AND z = x + 2 ANDx’ = IF a THEN x ELSE y ANDy’ = IF a THEN y ELSE z ANDz’ = IF a THEN z ELSE y + 2) IMPLIESy’ = x’ + 1 AND z’ = x’ + 2

When using a SAT solver, this formula had to be encoded intopropositional logic

Using an SMT solver, the formula can be solved as it is


Modeling

Notice that at this level of abstraction, we can prove theformula is true for arbitrary integers, eliminating the need toconsider the size of the registers

Alternatively, if we are concerned about overflow, we can usethe theory of bitvectors, which still has the advantage that thesize of the formula does not increase with increasingbit-width.


Modeling Software Using SMT

Consider the following lines of code:

l0 : a[i] := a[i] + 1;

l1 : a[i+ 1] := a[i− 1] − 1;

l2 :

This can be modeled in SMT as follows:

i0, i1, i2 : INT;

a0, a1, a2 : ARRAY INT OF INT;

ASSERT (a1 = a0 WITH [i0] := a0[i0]+1) AND (i1 = i0);

ASSERT (a2 = a1 WITH [i1+1] := a1[i1-1]-1) AND (i2 = i1);


Modeling Software Using SMT

A proof rule used in compiler verification needs to checkwhether the result is equivalent when the two statements areswapped. This can be modeled as follows:

i0, i1, i2, i3, i4 : INT;

a0, a1, a2, a3, a4 : ARRAY INT OF INT;





QUERY (i2 = i4 AND a2 = a4);


Modeling Reactive Systems Using CVC3

A more efficient encoding ignores variables that do notchange and uses the LET construct to introduce temporaryexpressions.

i : INT;

a : ARRAY INT OF INT;

QUERY

(LET a1 = a WITH [i] := a[i]+1 IN

a1 WITH [i+1] := a1[i-1]-1) =

(LET a1 = a WITH [i+1] := a[i-1]-1 IN

a1 WITH [i] := a1[i]+1);


Some Challenges

• Better integration of SAT and SMT• More complete techniques for quantifiers• Parallel SMT• Improving the SMT-LIB standard• Producing and Checking Proofs• Nonlinear arithmetic


References

[Bar03] Clark Barrett. Checking Validity of Quantifier-Free Formulas in Combinations ofFirst-Order Theories. PhD thesis, Stanford University, 2003

[BdM07] Nikolaj Bjørner and Leonardo de Moura. Efficient E-matching for SMT solvers. InFrank Pfenning, editor, Proceedings of the 21st International Conference onAutomated Deduction (CADE ’07), volume 4603 of Lecture Notes in ArtificialIntelligence, pages 183–198. Springer-Verlag, July 2007

[BDL98] Clark W. Barrett, David L. Dill, and Jeremy R. Levitt. A decision procedure forbit-vector arithmetic. In Proceedings of the 35th Design Automation Conference (DAC’98), pages 522–527. Association for Computing Machinery, June 1998. SanFrancisco, California. Best paper award

[BDS02a] Clark W. Barrett, David L. Dill, and Aaron Stump. Checking satisfiability offirst-order formulas by incremental translation to SAT. In Ed Brinksma andKim Guldstrand Larsen, editors, Proceedings of the 14th International Conference onComputer Aided Verification (CAV ’02), volume 2404 of Lecture Notes in ComputerScience, pages 236–249. Springer-Verlag, July 2002. Copenhagen, Denmark


References

[BDS02b] Clark W. Barrett, David L. Dill, and Aaron Stump. A generalization of Shostak’smethod for combining decision procedures. In Alessandro Armando, editor,Proceedings of the 4th International Workshop on Frontiers of Combining Systems(FroCoS ’02), volume 2309 of Lecture Notes in Artificial Intelligence, pages 132–146.Springer-Verlag, April 2002. Santa Margherita Ligure, Italy

[BNOT06] Clark Barrett, Robert Nieuwenhuis, Albert Oliveras, and Cesare Tinelli. Splitting ondemand in SAT modulo theories. In Miki Hermann and Andrei Voronkov, editors,Proceedings of the 13th International Conference on Logic for Programming, ArtificialIntelligence, and Reasoning (LPAR ’06), volume 4246 of Lecture Notes in ComputerScience, pages 512–526. Springer-Verlag, November 2006. Phnom Penh, Cambodia

[BP98] Nikolaj Bjørner and Mark C. Pichora. Deciding fixed and non-fixed size bit-vectors. InTACAS ’98: Proceedings of the 4th International Conference on Tools and Algorithmsfor Construction and Analysis of Systems, pages 376–392. Springer-Verlag, 1998

[BST07] Clark Barrett, Igor Shikanian, and Cesare Tinelli. An abstract decision procedure fora theory of inductive data types. Journal on Satisfiability, Boolean Modeling andComputation, 3:21–46, 2007


References

[CLS96] D. Cyrluk, P. Lincoln, and N. Shankar. On shostak’s decision procedure forcombinations of theories. In M. McRobbie and J. Slaney, editors, 13th InternationalConference on Computer Aided Deduction, volume 1104 of Lecture Notes inComputer Science, pages 463–477. Springer-Verlag, 1996

[CMR97] David Cyrluk, M. Oliver Möller, and Harald Ruess. An efficient decision procedurefor the theory of fixed-size bit-vectors. In Proceedings of the 9th InternationalConference on Computer Aided Verification (CAV ’97), pages 60–71. Springer-Verlag,1997

[CZ00] Domenico. Cantone and Calogero G. Zarba. A new fast tableau-based decisionprocedure for an unquantified fragment of set theory. In Ricardo Caferra and GernotSalzer, editors, Automated Deduction in Classical and Non-Classical Logics, volume1761 of Lecture Notes in Artificial Intelligence, pages 127–137. Springer, 2000

[dMRS02] L. de Moura, H. Rueß, and M. Sorea. Lazy Theorem Proving for Bounded ModelChecking over Infinite Domains. In Proc. of the 18th International Conference onAutomated Deduction, volume 2392 of LNCS, pages 438–455. Springer, July 2002

[DNS03] David Detlefs, Greg Nelson, and James B. Saxe. Simplify: A theorem prover forprogram checking. Technical Report HPL-2003-148, HP Laboratories Palo Alto, 2003


References[End00] Herbert B. Enderton. A Mathematical Introduction to Logic. Undergraduate Texts in

Mathematics. Academic Press, second edition edition, 2000

[EKM98] Jacob Elgaard, Nils Klarlund, and Anders Möller. Mona 1.x: New techniques forWS1S and WS2S. In Proceedings of the 10th International Conference on ComputerAided Verification (CAV ’98), volume 1427 of Lecture Notes in Computer Science.Springer-Verlag, 1998

[Gan02] Harald Ganzinger. Shostak light. In Andrei Voronkov, editor, Automated Deduction –CADE-18, volume 2392 of Lecture Notes in Computer Science, pages 332–346.Springer, 2002

[GBD05] Vijay Ganesh, Sergey Berezin, and David L. Dill. A decision procedure forfixed-width bit-vectors, January 2005. Unpublished Manuscript

[GBT07] Yeting Ge, Clark Barrett, and Cesare Tinelli. Solving quantified verificationcondisions using satisfiability modulo theories. In Proceedings of the 21st InternationalConference on Automated Deduction (CADE ’07), Lecture Notes in ArtificialIntelligence. Springer-Verlag, July 2007. Bremen, Germany

[KC03] Sava Krstic and Sylvain Conchon. Canonization for disjoint union of theories. InProceedings of the 19th International Conference on Computer Aided Deduction(CADE ’03), 2003


References

[LQ08] S. K. Lahiri and S. Qadeer. Back to the future: Revisiting precise program verificationusing smt solvers. In Proceedings of the 35th Annual ACM SIGPLAN - SIGACTSymposium on Principles of Programming Languages, 2008

[Mol97] M. Oliver Möller. Solving Bit-Vector Equations – a Decision Procedure for HardwareVerification. PhD thesis, University of Ulm, 1997

[MZ03] Zohar Manna and Calogero Zarba. Combining decision procedures. In FormalMethods at the Crossroads: from Panacea to Foundational Support, volume 2787 ofLecture Notes in Computer Science, pages 381–422. Springer-Verlag, November 2003

[NO79] Greg Nelson and Derek C. Oppen. Simplification by cooperating decisionprocedures. ACM Trans. on Programming Languages and Systems, 1(2):245–257,October 1979

[NO80] Greg Nelson and Derek C. Oppen. Fast decision procedures based on congruenceclosure. Journal of the ACM, 27(2):356–364, 1980

[NOT06] Robert Nieuwenhuis, Albert Oliveras, and Cesare Tinelli. Solving SAT and SATModulo Theories: from an Abstract Davis-Putnam-Logemann-Loveland Procedure toDPLL(T). Journal of the ACM, 53(6):937–977, November 2006


References

[Opp80] Derek C. Oppen. Reasoning about recursively defined data structures. J. ACM,27(3):403–411, 1980

[RBH07] Zvonimir Rakamaric, Jesse Bingham, and Alan J. Hu. An inference-rule-baseddecision procedure for verification of heap-manipulating programs with mutable dataand cyclic data structures. In Verification, Model Checking, and Abstract Interpretation:8th International Conference, pages 106–121. Springer, 2007. Lecture Notes inComputer Science Vol. 4349

[RS01] H. Ruess and N. Shankar. Deconstructing shostak. In 16th Annual IEEE Symposiumon Logic in Computer Science, pages 19–28, June 2001

[Sho84] R. Shostak. Deciding combinations of theories. Journal of the Association forComputing Machinery, 31(1):1–12, 1984

[TH96] C. Tinelli and M. Harandi. A new correctness proof of the nelson-oppen combinationprocedure. In F. Baader and K. Schulz, editors, 1st International Workshop onFrontiers of Combining Systems (FroCoS’96), volume 3 of Applied Logic Series.Kluwer Academic Publishers, 1996


References

[YRS+06] Greta Yorsh, Alexander Rabinovich, Mooly Sagiv, Antoine Meyer, and AhmedBouajjani. A logic of reachable patterns in linked data-structures. In Proceedings ofFoundations of Software Science and Computation Structures (FOSSACS ’06), 2006

[ZSM04a] T. Zhang, H. B. Sipma, and Z. Manna. Decision procedures for term algebras withinteger constraints. In Proceedings of the 2nd International Joint Conference onAutomated Reasoning (IJCAR ’04) LNCS 3097, pages 152–167, 2004

[ZSM04b] Ting Zhang, Henny B. Sipma, and Zohar Manna. Term algebras with lengthfunction and bounded quantifier alternation. In Proceedings of the 17th InternationalConference on Theorem Proving in Higher Order Logics (TPHOLs ’04), volume 3223of Lecture Notes in Computer Science, pages 321–336, 2004


SMT Solvers: Theory and Practice - Max Planck Society · SMT Solvers: Theory and Practice Clark...

Documents

Transcript of SMT Solvers: Theory and Practice - Max Planck Society · SMT Solvers: Theory and Practice Clark...